Class · High

CWE-446: UI Discrepancy for Security Feature

The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state.

CWE-446 · Class Level · 1 CVE

Description

When the user interface does not properly reflect what the user asks of it, it can lull the user into a false sense of security. For example, the user might check a box to enable encrypted communications, but the product never actually turns the encryption on. Alternately, the user might provide a "restrict ALL" access control rule, but the product only implements "restrict SOME".
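The encryption-checkbox case above, as an added example that is not part of the CWE entry: a constructed settings panel whose status label echoes the checkbox (the discrepancy) next to one that reads the state back from the component that really applies it and surfaces the failure. The backend, its PermissionError failure mode and all names here are assumptions made for the illustration.

```python
class TransportBackend:
    """Stand-in for the component that really turns encryption on or off (constructed)."""
    def __init__(self, may_change: bool) -> None:
        self.tls_enabled = False      # the real state; changes only when apply_tls succeeds
        self.may_change = may_change  # constructed failure mode: caller lacks the privilege
    def apply_tls(self, enabled: bool) -> None:
        if not self.may_change:
            raise PermissionError("not allowed to change transport settings")
        self.tls_enabled = enabled


class VulnerablePanel:
    """CWE-446 pattern: the status label echoes the checkbox, not the backend."""
    def __init__(self, backend: TransportBackend) -> None:
        self.backend, self.checkbox = backend, False
    def set_encryption(self, checked: bool) -> str:
        self.checkbox = checked
        try:
            self.backend.apply_tls(checked)
        except PermissionError:
            pass  # failure swallowed, yet status() still reports ON
        return self.status()

    def status(self) -> str:
        return "Encryption: ON" if self.checkbox else "Encryption: OFF"


class FixedPanel:
    """Corrected pattern: read the status back from the backend and surface failures."""
    def __init__(self, backend: TransportBackend) -> None:
        self.backend, self.last_error = backend, None
    def set_encryption(self, checked: bool) -> str:
        try:
            self.backend.apply_tls(checked)
            self.last_error = None
        except PermissionError as exc:
            self.last_error = str(exc)
        return self.status()

    def status(self) -> str:
        state = "ON" if self.backend.tls_enabled else "OFF"
        suffix = f" (could not apply change: {self.last_error})" if self.last_error else ""
        return f"Encryption: {state}{suffix}"


def run_scenario(panel_cls, may_change: bool) -> tuple:
    """Turn encryption on via a panel; return (label shown, label agrees with real state)."""
    panel = panel_cls(TransportBackend(may_change))
    label = panel.set_encryption(True)
    return label, label.startswith("Encryption: ON") == panel.backend.tls_enabled
```

The second element returned by run_scenario is the assertion a UI test should make: the label must be derived from, and agree with, the state the product actually enforces.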

Potential Impact

Other

Varies by Context

Real-World CVE Examples

CVE ID          Description
CVE-1999-1446   UI inconsistency; visited URLs list not cleared when "Clear History" option is selected.

Taxonomy Mappings

  • PLOVER: User interface inconsistency

Frequently Asked Questions

What is CWE-446?

CWE-446 (UI Discrepancy for Security Feature) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state.

How can CWE-446 be exploited?

Attackers can exploit CWE-446 (UI Discrepancy for Security Feature) with an impact that varies by context. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.

How do I prevent CWE-446?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-446?

CWE-446 is classified as a Class-level weakness (High abstraction). It has been observed in 1 real-world CVE.